4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Nov 2019 10:25:09 +0000 (11:25 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Nov 2019 10:25:09 +0000 (11:25 +0100)
added patches:
nl80211-fix-validation-of-mesh-path-nexthop.patch
rtlwifi-fix-potential-overflow-on-p2p-code.patch
s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch

queue-4.4/nl80211-fix-validation-of-mesh-path-nexthop.patch [new file with mode: 0644]
queue-4.4/rtlwifi-fix-potential-overflow-on-p2p-code.patch [new file with mode: 0644]
queue-4.4/s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/nl80211-fix-validation-of-mesh-path-nexthop.patch b/queue-4.4/nl80211-fix-validation-of-mesh-path-nexthop.patch
new file mode 100644 (file)
index 0000000..4a998a1
--- /dev/null
@@ -0,0 +1,35 @@
+From 1fab1b89e2e8f01204a9c05a39fd0b6411a48593 Mon Sep 17 00:00:00 2001
+From: Markus Theil <markus.theil@tu-ilmenau.de>
+Date: Tue, 29 Oct 2019 10:30:03 +0100
+Subject: nl80211: fix validation of mesh path nexthop
+
+From: Markus Theil <markus.theil@tu-ilmenau.de>
+
+commit 1fab1b89e2e8f01204a9c05a39fd0b6411a48593 upstream.
+
+Mesh path nexthop should be a ethernet address, but current validation
+checks against 4 byte integers.
+
+Cc: stable@vger.kernel.org
+Fixes: 2ec600d672e74 ("nl80211/cfg80211: support for mesh, sta dumping")
+Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
+Link: https://lore.kernel.org/r/20191029093003.10355-1-markus.theil@tu-ilmenau.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -292,7 +292,8 @@ static const struct nla_policy nl80211_p
+       [NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
+       [NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
+                                  .len = IEEE80211_MAX_MESH_ID_LEN },
+-      [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
++      [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_BINARY,
++                                        .len = ETH_ALEN },
+       [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
+       [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
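Review bot: The new policy entry at L52-53 bounds NL80211_ATTR_MPATH_NEXT_HOP to at most ETH_ALEN bytes, but NLA_BINARY's .len is a maximum only, so an attribute shorter than six bytes still passes this table. The handlers that consume the attribute are outside the hunk; it is worth confirming they check `nla_len(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]) == ETH_ALEN` before treating the payload as a MAC address, since this kernel's policy table does not appear to offer an exact-length type. A one-line comment on the entry, `/* NLA_BINARY .len is an upper bound; consumers must check nla_len == ETH_ALEN */`, would make that division of responsibility visible where the policy is declared. The nl80211_policy array continues outside the hunk.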
diff --git a/queue-4.4/rtlwifi-fix-potential-overflow-on-p2p-code.patch b/queue-4.4/rtlwifi-fix-potential-overflow-on-p2p-code.patch
new file mode 100644 (file)
index 0000000..7962a7d
--- /dev/null
@@ -0,0 +1,46 @@
+From 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@redhat.com>
+Date: Fri, 18 Oct 2019 07:43:21 -0400
+Subject: rtlwifi: Fix potential overflow on P2P code
+
+From: Laura Abbott <labbott@redhat.com>
+
+commit 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 upstream.
+
+Nicolas Waisman noticed that even though noa_len is checked for
+a compatible length it's still possible to overrun the buffers
+of p2pinfo since there's no check on the upper bound of noa_num.
+Bound noa_num against P2P_MAX_NOA_NUM.
+
+Reported-by: Nicolas Waisman <nico@semmle.com>
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/ps.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/ps.c
++++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
+@@ -781,6 +781,9 @@ static void rtl_p2p_noa_ie(struct ieee80
+                               return;
+                       } else {
+                               noa_num = (noa_len - 2) / 13;
++                              if (noa_num > P2P_MAX_NOA_NUM)
++                                      noa_num = P2P_MAX_NOA_NUM;
++
+                       }
+                       noa_index = ie[3];
+                       if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
+@@ -875,6 +878,9 @@ static void rtl_p2p_action_ie(struct iee
+                               return;
+                       } else {
+                               noa_num = (noa_len - 2) / 13;
++                              if (noa_num > P2P_MAX_NOA_NUM)
++                                      noa_num = P2P_MAX_NOA_NUM;
++
+                       }
+                       noa_index = ie[3];
+                       if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
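Review bot: The added clamp at L91-92 is followed by an empty added line (L93) directly before the closing brace, and the same pattern repeats at L101-103; checkpatch reports blank lines before a close brace, so the two empty lines should be dropped. The clamp also silently discards any NoA descriptors beyond P2P_MAX_NOA_NUM rather than rejecting the IE, which matches the commit message's intent but is not obvious at the call site; a short comment such as `/* p2pinfo holds at most P2P_MAX_NOA_NUM descriptors; ignore the rest */` above each clamp would record that. Since the identical fragment now appears in both rtl_p2p_noa_ie() and rtl_p2p_action_ie(), a small static helper deriving noa_num from noa_len would keep the two copies in step. Both enclosing functions begin and end outside the hunk.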
diff --git a/queue-4.4/s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch b/queue-4.4/s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch
new file mode 100644 (file)
index 0000000..fcb9605
--- /dev/null
@@ -0,0 +1,66 @@
+From b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f Mon Sep 17 00:00:00 2001
+From: Yihui ZENG <yzeng56@asu.edu>
+Date: Fri, 25 Oct 2019 12:31:48 +0300
+Subject: s390/cmm: fix information leak in cmm_timeout_handler()
+
+From: Yihui ZENG <yzeng56@asu.edu>
+
+commit b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f upstream.
+
+The problem is that we were putting the NUL terminator too far:
+
+       buf[sizeof(buf) - 1] = '\0';
+
+If the user input isn't NUL terminated and they haven't initialized the
+whole buffer then it leads to an info leak.  The NUL terminator should
+be:
+
+       buf[len - 1] = '\0';
+
+Signed-off-by: Yihui Zeng <yzeng56@asu.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+[heiko.carstens@de.ibm.com: keep semantics of how *lenp and *ppos are handled]
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/mm/cmm.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/s390/mm/cmm.c
++++ b/arch/s390/mm/cmm.c
+@@ -306,16 +306,16 @@ static int cmm_timeout_handler(struct ct
+       }
+       if (write) {
+-              len = *lenp;
+-              if (copy_from_user(buf, buffer,
+-                                 len > sizeof(buf) ? sizeof(buf) : len))
++              len = min(*lenp, sizeof(buf));
++              if (copy_from_user(buf, buffer, len))
+                       return -EFAULT;
+-              buf[sizeof(buf) - 1] = '\0';
++              buf[len - 1] = '\0';
+               cmm_skip_blanks(buf, &p);
+               nr = simple_strtoul(p, &p, 0);
+               cmm_skip_blanks(p, &p);
+               seconds = simple_strtoul(p, &p, 0);
+               cmm_set_timeout(nr, seconds);
++              *ppos += *lenp;
+       } else {
+               len = sprintf(buf, "%ld %ld\n",
+                             cmm_timeout_pages, cmm_timeout_seconds);
+@@ -323,9 +323,9 @@ static int cmm_timeout_handler(struct ct
+                       len = *lenp;
+               if (copy_to_user(buffer, buf, len))
+                       return -EFAULT;
++              *lenp = len;
++              *ppos += len;
+       }
+-      *lenp = len;
+-      *ppos += len;
+       return 0;
+ }
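Review bot: The terminator at L155, `buf[len - 1] = '\0'`, overwrites the last byte the user supplied, so a write of exactly `5 10` with no trailing newline is parsed as `5 1`; `echo` appends a newline so the common case works, but the truncation is silent. Copying at most `sizeof(buf) - 1` bytes and terminating after the copied data avoids that while still closing the leak: `len = min(*lenp, sizeof(buf) - 1);` at L151 and `buf[len] = '\0';` at L155. The current expression also depends on `*lenp` being non-zero, since with `len == 0` the index is out of range; that is presumably rejected by the guard whose closing brace is visible at L146, and a comment such as `/* *lenp != 0 is guaranteed by the check above */` would make the dependency explicit. cmm_timeout_handler() begins outside the hunk.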
index c3530ed7b4f33b59ebc50e90a90ff8f02b735c00..c1265b077e50dad4f2101a9d324292c72d704f25 100644 (file)
@@ -33,3 +33,6 @@ usb-serial-whiteheat-fix-potential-slab-corruption.patch
 usb-serial-whiteheat-fix-line-speed-endianness.patch
 hid-fix-assumption-that-devices-have-inputs.patch
 hid-fix-error-message-in-hid_open_report.patch
+nl80211-fix-validation-of-mesh-path-nexthop.patch
+s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch
+rtlwifi-fix-potential-overflow-on-p2p-code.patch